
FEATURE

Computer Fraud & Security, May 2011

Navigating the new threat landscape

Paul Zimski, Lumension

The threat landscape has evolved. It is no longer just the disgruntled employee or even the opportunistic hacker with which organisations need to be concerned. Highly sophisticated and targeted attacks are on the rise. It all started with the China and Google hacks (the attacks later named Operation Aurora), which saw the use of unprecedented tactics combining encryption and stealth programming to take advantage of an unknown hole in Internet Explorer. Then along came Stuxnet, a Windows worm designed to exploit four zero-day vulnerabilities in order to attack industrial systems in Iran.

Add to this the volume of data accessed and released by Wikileaks, and it is clear that organisations are having difficulty in preventing classified information assets from walking out of the door. There is no doubt that the evolution of technology and the increased drive towards mobility have eased the process of information leaking out of organisations, and the onus is on organisations to protect and control access to classified information.

Threats on the move

The rise of the mobile workforce is a widely documented trend that is forever being highlighted within the business world. Research companies predict that the number of professionals working on the move will reach 1.3 billion globally by 2013.1

This increase in the mobile global workforce goes hand in hand with an increase in criminal activity. Most electronic communication is uncontrolled and unmonitored, creating more opportunities for data to be lost, stolen or misused. In addition, employees load laptops and PCs with unauthorised and illegal applications that cause downtime, performance issues and additional support calls, not to mention introducing security threats to the network. In the US alone, more than 250 million personal records have been exposed due to security breaches, with the annual loss of intellectual property estimated at over $200bn.2,3 Switch to the UK and the importance of tackling cybercrime has greatly increased, with the UK Government pledging £63m to the police in order to help them better combat e-crime.4

The main threats businesses face today as a result of increasingly mobile, dynamic and unmonitored IT environments can be summarised in four points:

• Borderless enterprise: data has become decentralised through disparate supply chains, outsourcing and a mobile workforce that needs collaboration and productivity technology to access corporate data.

• Increased insider risks: innocent mistakes, such as losing removable devices like USB sticks, coupled with malicious intent to steal corporate data, have increased and now make up more than 50% of serious data breach incidents.5 In a recent study, 53% of employees stated they would definitely take company data with them if they were laid off.6

• Organised external threats: sophisticated, organised criminal networks are now fuelling the black market with more than $5.6bn in stolen corporate and personal information.

• Consumerisation of IT: users are bringing their own productivity tools into the workplace, both hardware (eg, USB devices) and software (eg, instant messaging and other Web 2.0 applications like Twitter), which add new layers of threat to your network.

With just these points in mind, the hacker and cybercrime community has become increasingly proactive in joining forces and exposing weaknesses in businesses’ armour. Traditional security defences are simply not able to plug vulnerabilities effectively. As such, organisations are having to change their security posture in a bid to tackle a new wave of sophisticated threats.

Cloud fuelling the fire

While managing IT risk is part of running any company these days, the cloud provides IT departments with a whole new layer to the security challenge – and it’s one that many organisations have yet to overcome.

“It is becoming increasingly common for CIOs to sacrifice both network and physical security in order to provide cost savings”

Moving to a virtual environment to save on costs automatically introduces fresh risk on top of the existing risks of a mobile workforce. This essentially means that the very market driver for cloud computing is further exacerbating the situation by creating more vulnerabilities. People are attempting to load up as many applications as possible onto individual servers and – whether they do that within their own environment or push it off into the cloud – it creates the same issue of introducing more vulnerabilities: every application consolidated onto a host widens that host’s attack surface, and a single compromise becomes a compromise of everything running on it. It is becoming increasingly common for CIOs to sacrifice both network and physical security in order to provide cost savings.

To add insult to injury, there are tools readily available that not only allow attackers to exploit vulnerabilities in applications running as part of virtual servers but also give them the power to take over the entire server. In a cloud environment, this is a security and compliance nightmare.

No doubt, 99 out of 100 cloud vendors do their due diligence by maintaining servers, applying patches on time, keeping servers securely configured and physically locking down datacentres. But there is always the chance that one will lag behind, leaving some of its virtual machines and applications unpatched and poorly configured. That one tiny chink in the armour is what the current hacker community is exploiting, and successfully too. It is enough to allow cyber-criminals to take over entire systems: not only gaining control over the ‘bad’ machine but also using it as a foothold from which to reach other machines.

Reformed hacker Michael Calce – infamous for taking down websites such as CNN, eBay and Yahoo! in 2000 – agrees that trouble looms ahead if companies fail to apply the right security measures. “We’re basically putting everything into a single box, making it easier for hackers to access everything as a result,” he says. “They’re ready to build Web 2.0 without even fixing Web 1.0.”

“With the removal of traditional boundaries for IT, businesses need to look well beyond their immediate network and focus heavily on mobile and removable devices”

Is it worth the cost savings to be exposed to that risk? Interestingly, many organisations seem to think so. A report conducted jointly by EMC’s RSA security division and IDG Research Services interviewed 100 security executives at companies with revenues of £1bn or more. Of these executives, close to half said they either have enterprise applications or business processes running in the cloud or will begin migration in the next year. At the same time, two-thirds do not have a security strategy for cloud computing, a worrying statistic for organisations of that size.

Ensuring that servers in datacentres are protected and that weaknesses are plugged before the hacker community can capitalise on them is only half the battle. With the removal of traditional boundaries for IT, businesses need to look well beyond their immediate network and focus heavily on the mobile and removable devices that are accessing this core network.

Focusing on the endpoint

The endpoint is much more than just a desktop. Endpoints now mean PDAs, tablets, smartphones and other mobile devices that have become commonplace in the business world.

Analysts have pointed to the fact that the endpoint is, perhaps, the most vulnerable aspect of any organisation’s IT infrastructure. Recent research has also pointed to the fact that it’s not just the mobile devices that pose a problem and a threat, but also the applications the mobile devices run.7

Data is the new currency for all companies. Companies must do everything they can to identify and prioritise their data risks and implement controls before they suffer an attack or breach that would have a significant impact on their business. Because that data is created, stored and used on endpoints, some of the biggest concerns around protecting it are focused on protecting a large and varied population of endpoints. IT staff are looking for solutions that help them both secure and manage those endpoints. This is where the convergence of endpoint operations and endpoint security comes into play.

Managing the endpoint means more than just the deployment and configuration of the device. It also includes virtualisation, patch management, compliance tracking, business continuity and security. And all aspects of the process must work intelligently together. This makes the endpoint management process, with all its related components, a complex beast to conquer.

Businesses will need to source solutions that protect against all the threats posed by mobile access and need to implement solutions/functionalities that address the following areas:

• An end-to-end management platform that consolidates endpoint operations, security, compliance and IT risk management workflows for maximum visibility and control.

• A platform that unifies the disparate IT functions of endpoint operations, security, and compliance and risk management.

• A cohesive workflow solution that centralises control and provides end-to-end visibility through an integrated web-based console that can be accessed by either group (IT security or IT operations).

• Role-based access that allows IT security and IT operations to gather the data they need and ensure their objectives are being met.

• A platform architecture that allows extensions/plug-ins within a single promotable agent.

Figure 1: Top security threat concerns. Source: 2011 (ISC)2 Global Information Security Workforce Study.

With the plethora of point solutions required to address the changing threat landscape, organisations are quickly realising that they can no longer add yet another point solution to address the latest security risk. A holistic approach to security is required, one that needs previously isolated technologies to work in tandem with each other. This integration has seen a move towards a next generation of security technology that pulls together previously disparate technologies onto one platform. And, to catch up with the latest security threats, from cyber-warfare to espionage and data theft, the industry has focused on collaboration, partnerships and mergers and acquisitions to drive change. A number of alliances have emerged, from the Cloud Security Alliance to the Global Risk Register community, to help drive change through a concerted effort to promote the use of best practice for providing security assurance.

Shift in security thinking

One technology area that has seen a concerted effort to collaborate is intelligent whitelisting. IT organisations are moving away from using traditional forms of security to keep up with a rapidly changing malware world and an increasingly sophisticated hacker community.

While application whitelisting is not an answer to all security woes, there are a number of areas in which it can ward off threats where traditional technologies, such as antivirus software, simply won’t work.

“Taking a whitelisting approach is proving to not only be much more manageable and realistic, it’s also proven to be more effective”

Neil MacDonald of Gartner stated in May 2010 that he had seen a significant increase in the number of organisations interested in application whitelisting.8 “I think we’ve finally turned a corner and are coming out of the ‘trough of disillusionment’ on the Gartner hype cycle,” MacDonald blogged. He said the attack on Google “created a watershed moment that has raised the visibility on how ineffective traditional signature-based antivirus solutions really are”. The fact that there is a great deal of conversation among the analyst community actively referring to application whitelisting as an “integral security solution” shows that the technology has reached a potential tipping point.

Defence contractors almost always face persistent attacks from those intent on hacking into their systems to steal sensitive data. Until now, many of these defence contractors have been trying to use a combination of signature and behavioural solutions to manage attacks, at considerable expense and with questionable success. Today, however, these contractors can resist this continued, persistent threat by employing new approaches that take the key capabilities of application control/whitelisting technology and integrate them with antivirus and patch management in a single workflow.

Large global organisations that face bandwidth constraints are also benefiting from a shift in security approach. The volume of antivirus signatures has grown by leaps and bounds, to the point where it has become almost unmanageable. It is simply unrealistic to try to push this volume of data through a network that might not be up to scratch, and with the size of some of the signature updates the situation becomes virtually impossible to facilitate. Taking a whitelisting approach is proving to be not only much more manageable and realistic, but also more effective.

Whitelisting forum

Intelligentwhitelisting.com is an open forum that debates the merits of application whitelisting and the security technology’s evolving ability to safeguard dynamic endpoints effectively and efficiently.

The site was created with collaboration and open dialogue in mind so that thoughts and opinions from across the security community are shared. There is a panel of experts ranging from analysts to security technology developers, who regularly contribute to the site, including:

• Eric Ogren, founder of analyst and research firm The Ogren Group.

• Larry Seltzer, contributing editor of PC Magazine and author of the Security Watch Blog (@lseltzer).

• Rich Mogull, analyst and CEO at Securosis (@rmogull).

• Richard Stiennon, author of ‘Surviving Cyberwar’ (@stiennon).

• Toney Jennings, president and CEO of CoreTrace (@securityincite).

• Mike Rothman, analyst and president at Securosis (@securityincite).

• Paul Henry, forensic and security analyst, Lumension (@phenrycissp).

The new forum is open to anyone wishing to contribute to the discussion around application whitelisting.


Advances in technology

Whitelisting is not a new concept. It was born in the days when servers sat surrounded by a perimeter of security defences. Computers and devices arrived with all features, services, and ports turned off by default – and that’s where they stayed until someone explicitly authorised and enabled (or whitelisted) them. IT managers found this approach too restrictive, too inflexible, and too difficult to manage within the modern enterprise. The good news is that the days of this static environment have passed. Whitelisting is dynamic and is being hailed as the solution that could help to protect organisations from dynamic and highly sophisticated targeted attacks.
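The following Python sketch is an added example and is not code from the article or from Lumension. It models two arguments made above: in the ‘Shift in security thinking’ section, that a signature blocklist (default allow) is evaded by any sample it has not seen while a default-deny allowlist is not; and in this section, that a ‘dynamic’ allowlist can admit legitimate change without manual re-approval. The sample executables are constructed byte strings standing in for real binaries, and the trusted patch process name ‘acme-updater.exe’ is an assumption made for the example.

```python
"""Default-deny application control versus signature-based blocking.

Added example (not the article's or Lumension's code). The 'executables'
below are constructed byte strings standing in for real binaries, and
'acme-updater.exe' is a hypothetical trusted patch process.
"""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    """Content hash used as the identity of an executable image."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample images (example data only).
GOOD_APP_V1 = b"MZ\x90\x00 acme-editor 1.0"
GOOD_APP_V2 = b"MZ\x90\x00 acme-editor 1.1"      # a later, legitimately patched build
KNOWN_MALWARE = b"MZ\x90\x00 dropper payload"
REPACKED_MALWARE = KNOWN_MALWARE + b"\x00"       # one appended byte: a new, unseen hash


@dataclass
class Verdict:
    allowed: bool
    reason: str


class SignatureBlocklist:
    """Traditional signature AV: deny what is known bad, allow everything else."""

    def __init__(self, bad_hashes):
        self.bad = set(bad_hashes)

    def check(self, image: bytes) -> Verdict:
        if sha256(image) in self.bad:
            return Verdict(False, "matched malware signature")
        return Verdict(True, "no signature match (default allow)")


class ApplicationAllowlist:
    """Application control: deny anything not on the list, plus a trusted-change
    rule so that images written by an approved updater are admitted without a
    manual re-approval (the 'dynamic' whitelisting the article describes)."""

    def __init__(self, good_hashes, trusted_updaters=()):
        self.good = set(good_hashes)
        self.trusted_updaters = set(trusted_updaters)

    def record_write(self, writer: str, image: bytes) -> bool:
        """Hook for 'process <writer> wrote an executable to disk'.
        Returns True if the new image was admitted to the allowlist."""
        if writer in self.trusted_updaters:
            self.good.add(sha256(image))
            return True
        return False

    def check(self, image: bytes) -> Verdict:
        if sha256(image) in self.good:
            return Verdict(True, "hash on allowlist")
        return Verdict(False, "not on allowlist (default deny)")


def build_demo():
    """Blocklist seeded with one known sample; allowlist seeded with one approved app."""
    av = SignatureBlocklist([sha256(KNOWN_MALWARE)])
    ac = ApplicationAllowlist([sha256(GOOD_APP_V1)], trusted_updaters={"acme-updater.exe"})
    return av, ac


def compare(av: SignatureBlocklist, ac: ApplicationAllowlist, image: bytes):
    """(blocklist allows?, allowlist allows?) for one image."""
    return av.check(image).allowed, ac.check(image).allowed


def main():
    av, ac = build_demo()
    cases = [("approved app v1", GOOD_APP_V1), ("known malware", KNOWN_MALWARE),
             ("repacked malware", REPACKED_MALWARE), ("patched app v2", GOOD_APP_V2)]
    for phase in ("before patch", "after patch"):
        print(f"{phase}:")
        for name, image in cases:
            blocklist_ok, allowlist_ok = compare(av, ac, image)
            print(f"  {name:18s} blocklist={blocklist_ok!s:5} allowlist={allowlist_ok}")
        # The trusted updater installs v2 (admitted automatically); a browser dropping
        # the repacked sample is not a trusted writer, so the allowlist is unchanged.
        ac.record_write("acme-updater.exe", GOOD_APP_V2)
        ac.record_write("browser.exe", REPACKED_MALWARE)


if __name__ == "__main__":
    main()
```

Run as-is to print the before/after table. The repacked sample, differing from the known one by a single byte, sails past the blocklist but never gains execution under the allowlist, while the patched build is denied by a static list and admitted by the trusted-updater rule. Real products also key trust on publisher certificates and parent process; this sketch keeps to content hashes only.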

About the author

Paul Zimski serves as Lumension’s vice-president of solution strategy. He has more than 12 years of experience in the IT security market and at Lumension he drives product strategy and positioning. Prior to Lumension, he served in various roles at Harris Corporation and Finjan Software.

References

1. Garretson, Rob. ‘IDC: Mobile Workers Will Pass 1 Billion in 2010’. CIOZone, 24 Feb 2010. Accessed Apr 2011. <http://www.ciozone.com/index.php/Mobile-and-Wireless/IDC-Mobile-Workers-Will-Pass-1-Billion-in-2010.html>.

2. Privacy Rights Clearinghouse. <http://www.privacyrights.org/>.

3. Testimony by Paul Kurtz to the House Permanent Select Committee on Intelligence, 19 Sep 2008.

4. Espiner, Tom. ‘Cybercrime policing to get £63m boost’. ZDNet, 16 Feb 2011. Accessed Apr 2011. <http://www.zdnet.co.uk/news/security/2011/02/16/cybercrime-policing-to-get-63m-boost-40091830/>.

5. Krebs, Brian. ‘Data breaches up almost 50%, affecting records of 35.7 million people’. Washingtonpost.com, 6 Jan 2009. Accessed Apr 2011. <http://www.washingtonpost.com/wp-dyn/content/article/2009/01/05/AR2009010503046.html>.

6. Cyber-Ark Software.

7. ‘2011 (ISC)2 Global Information Security Workforce Study’. Frost & Sullivan/(ISC)2. <https://www.isc2.org/uploadedFiles/Industry_Resources/FS_WP_ISC%20Study_020811_MLW_Web.pdf>.

8. MacDonald, Neil. ‘Application Control/Whitelisting Interest is Growing Rapidly’. Gartner, 11 May 2010. <http://blogs.gartner.com/neil_macdonald/2010/05/11/application-control-whitelisting-interest-is-growing-rapidly/>.

Social media strategies

Jim Mortleman, independent writer & consultant

Five years ago, the issue of social media was barely on any organisation’s radar. Most companies only started to take notice of the phenomenon around 2007–8, when they realised that a growing number of employees was spending a significant amount of time on a hitherto little-known site called Facebook. For some, it became such a problem in terms of eating up network bandwidth and employees’ time (not to mention opening up the organisation to security risks) that the most sensible solution seemed to be a blanket organisational ban on the use of the site and similar services.

Others, however, particularly in the business-to-consumer space, realised that if their employees were spending so much time on these sites, so were their customers. And that meant a social media ‘presence’ would be useful. In addition, there were forward-looking executives who suspected there might also be opportunities to use these technologies to improve internal communications, collaboration, corporate knowledge management and access to fresh ideas and talent both within and beyond the traditional organisational walls. Some even saw it as a way to help bring down those walls – dissolving silos and flattening management hierarchies in support of business transformation programmes.

Top of the agenda

Fast forward to today and social media has shot up the corporate agenda. According to a global study published in February 2011 by Burson-Marsteller, 84% of Fortune 100 firms are using at least one of the four most popular social media platforms – Twitter (77%), Facebook (61%), YouTube (57%) or a corporate blog (36%).1 However, the study also noted that too many firms are using these platforms more like traditional broadcast media, pushing out corporate news and campaigns rather than taking full advantage of the opportunity that social media gives them to engage